A hacker exploited a SQL injection vulnerability on the Royal Navy Website to steal administrator passwords and usernames.
A hacker reportedly exploited a SQL injection vulnerability on the Website of Britain's Royal Navy, according to media reports
The incident took place Nov. 5, when a hacker known by the alias
TinKode is believed to have attacked the site and stolen passwords
and usernames. Right now, the site bears the message stating that:
"Unfortunately the Royal Navy's Website is currently undergoing
essential maintenance. Please visit again soon."
TinKode posted about the attack on Twitter and linked to his
security blog, where visitors could find more information about
the attack. The hacker, who is believed to be Romanian, has been tied
in the past to attacks against NASA and U.S. Army-owned sites as well,
Sophos Senior Technology Consultant Graham Cluley told eWEEK.
"TinKode's attack is particularly embarrassing for the British
Ministry of Defence, as just last month protecting against cyber-attacks was declared in the National Security Strategy to be a 'highest priority for UK national security'
alongside international terrorism, international military crises and major accidents/natural hazards," Cluley blogged.
"We can all be thankful that Tinkode's activities appear to be have
been more mischievous than dangerous," he added. "If someone with more
malice in mind had hacked the site they could have used it to post
malicious links on the Navy's JackSpeak blog, or embedded a Trojan
horse into the site's main page."
SQL injection is a well-known class of vulnerabilities found on
the Web. According to a recent report from White Hat Security, SQL
injections are the sixth most prevalent attack class, though cross-site
scripting and information leakage were in the lead by far. SQL
injection also was mentioned as a topic on the "2010 CWE/SANS Top 25 Most Dangerous Software Errors
" list released in February.
In an article here
eWEEK compiled a list of tips to help organizations prevent SQL
injection vulnerabilities before hackers get a chance to exploit them.
In a statement, the Royal Navy reportedly said that the Website had been temporarily suspended.
"Security teams are investigating," according to the statement
. "Access to this Website did not give the hacker access to any classified information."
"Hopefully efforts are in place now to secure any vulnerabilities
and reduce the chances of such a serious security breach happening
again in future," Cluley blogged. "It is to be hoped that the ultimate
impact of this attack will be egg on the face of the Ministry of
Defence (and better security practices in future), rather than a more
significant assault on a Website presenting the public face of an
important part of the armed forces."